The world has gone mobile. But where there is mobile technology, there is also the risk of it being lost, forgotten or stolen. How do you keep the data safe, protect it from prying eyes and find stolen equipment? Let’s try to figure it out.
Let’s start, as usual, with the basics, namely the login password. It would seem that everything here is simple: any graphical environment has a built-in screen locker that asks for a password after a few minutes of inactivity. But what if you do not use a graphical environment and your choice is a lightweight window manager like Fluxbox or i3?
There are many different screen lockers, but I would recommend slock. It is an extremely simple locker without any graphical controls, input boxes or session switching. All it does is fill the screen with black. When you start typing a password the screen turns blue, and if you press Enter and the password is wrong, it turns red. Seeing this, most “crackers” will be stumped and decide that the computer has simply frozen.
You can either start slock directly (the screen will be locked immediately) or have it start automatically around suspend, so that the screen is already locked when you wake the notebook up. In the second case you will need the following systemd unit:
[Unit]
Description=Lock X session using slock for user %i
Before=sleep.target

[Service]
User=%i
Environment=DISPLAY=:0
ExecStartPre=/usr/bin/xset dpms force suspend
ExecStart=/usr/bin/slock

[Install]
WantedBy=sleep.target
Save it as /etc/systemd/system/slock@.service and enable the unit (USER is your user name on the system):
$ sudo systemctl enable slock@USER.service
Another extremely simple but no less valuable recommendation is to set a BIOS password and disable booting from any media except the hard drive. This protects you from someone booting from a flash drive to read your disk from another operating system.
Many laptops also let you set passwords for power-on, reboot and hard drive access. The latter works at the level of the ATA controller and still helps if someone manages to boot their own operating system, but it is useless against physically removing the hard disk.
Almost all popular distributions allow you to encrypt the hard disk during operating system installation. Such encryption makes it almost impossible to extract data from the disk (given a sufficiently long password), but it has one significant disadvantage: a drop in I/O performance, which can reach hundreds or even thousands of percent.
You can minimize the performance degradation by encrypting only the /home partition (where your data lives) and leaving the system itself unencrypted. In fact, many distributions offer this option by default, but it is not ideal either: the laptop will burn extra resources just to play a movie saved on disk, and if you are a software developer or simply often build software from source, prepare for a noticeable slowdown.
But there is a way out of this situation too: the EncFS and CryFS file systems, which encrypt a single directory rather than a whole partition.
Both file systems use the AES-256 algorithm in GCM mode but differ in implementation. EncFS encrypts each file individually and therefore hides only the contents and names of files; it does nothing to prevent someone from learning the directory structure and file sizes. In other words, if someone needs to prove that you are storing a specific archive downloaded from the darknet, they can do so.
CryFS protects against such risks: a directory encrypted with it looks like a flat tree with a bunch of directories and files of the same size. However, unlike EncFS, CryFS has never been independently audited. If that stops you, use EncFS; and if you do not trust either of them, you can arm yourself with VeraCrypt or another “classic” encryption tool that uses a fixed-size container, which cannot be put into Dropbox without the slightest change forcing all of the encrypted data to be resynchronized.
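To make the difference between the two designs concrete, here is an added toy model (not code from the article or from either project) of what an observer of the ciphertext directory can still learn: per-file encryption keeps one ciphertext object per file, so directory depth and sizes stay visible, while a store of equal-size blocks only reveals a block count. The per-file overhead, block size and the sample tree are assumptions constructed for illustration, not the real on-disk formats.

```python
# Added example, not from the article: what metadata remains visible in the
# encrypted store under per-file encryption (EncFS-like) versus a fixed-size
# block store (CryFS-like). Overheads and block size are assumed for illustration.
from collections import Counter
from math import ceil

FILE_OVERHEAD = 8          # assumed per-file header (IV) in the per-file scheme
BLOCK_SIZE = 32 * 1024     # assumed fixed ciphertext block size in the block scheme


def per_file_view(tree):
    """Per-file encryption: names are encrypted, but every file keeps its own
    ciphertext object, so the observer sees each file's depth and size."""
    return sorted((path.count("/"), size + FILE_OVERHEAD) for path, size in tree.items())


def block_store_view(tree):
    """Block store: files and directories are cut into equal-size blocks, so the
    observer only sees how many blocks exist (one block per directory assumed)."""
    dirs = {path.rpartition("/")[0] for path in tree}
    data_blocks = sum(ceil((size + FILE_OVERHEAD) / BLOCK_SIZE) for size in tree.values())
    return {"block_size": BLOCK_SIZE, "blocks": data_blocks + len(dirs)}


def contains_known_set(view, known_sizes):
    """Can the observer confirm that a set of files with publicly known sizes
    is present? Only when per-file sizes are visible at all."""
    if isinstance(view, dict):
        return False          # block store: there are no per-file sizes to compare
    observed = Counter(size for _, size in view)
    expected = Counter(s + FILE_OVERHEAD for s in known_sizes)
    return all(observed[size] >= n for size, n in expected.items())


# constructed sample tree: path -> plaintext size in bytes
TREE = {
    "docs/passport.png": 1_234_567,
    "keys/secret.gpg": 3_456,
    "wallet/wallet.dat": 65_536,
    "notes.txt": 120,
}
KNOWN_SIZES = [1_234_567, 3_456]   # sizes of files an observer already knows

if __name__ == "__main__":
    print(per_file_view(TREE))
    print(block_store_view(TREE))
    print(contains_known_set(per_file_view(TREE), KNOWN_SIZES))     # True
    print(contains_known_set(block_store_view(TREE), KNOWN_SIZES))  # False
```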
Using EncFS and CryFS is extremely easy. It is enough to install the package and then perform the mount operation:
$ cryfs ~/Dropbox/box ~/crypto
Here we attach the encrypted directory ~/Dropbox/box to the mount point ~/crypto. All files written to the latter will appear in the former in encrypted form.
All valuable data can be put into this directory: passport scans, GPG keys, crypto wallets, working folders, password databases and so on. It has to be mounted manually after each boot, and it is better to unmount it immediately after use:
$ fusermount -u ~/crypto
Authentication without password
So, the disk is protected, the password is set, but is it convenient? Entering a password at boot is no hardship, since modern notebooks are rebooted rarely, and the same goes for the password that decrypts the data at boot, but typing it every time you unlock the screen is no fun. Moreover, your neighbours on an airplane can watch you type it. You need a different method, or better still, a combination of methods.
I think everyone has heard about a thing called pam_usb: a PAM module that authenticates you with a flash drive holding random data, so that a plugged-in flash drive can replace or complement the password.
To make all this work, follow these steps. Install pam_usb:
$ git clone https://github.com/aluzzardi/pam_usb.git
$ cd pam_usb
$ make
$ sudo make install
In Arch Linux pam_usb is available in the AUR:
$ yaourt -S pam_usb
Write the random data to your flash drive (AuthKey here is an arbitrary name for the device):
$ sudo pamusb-conf --add-device AuthKey
Specify a user who will authenticate using a flash drive:
$ sudo pamusb-conf --add-user username
Check that everything is set up as it should be:
$ sudo pamusb-check username
Finally, add pam_usb to the list of PAM modules. To do this, open your distribution’s PAM authentication file (/etc/pam.d/system-auth in Arch Linux and Fedora) and add this line at the beginning of the file:
auth sufficient pam_usb.so
In this case the flash drive alone is enough for authentication. If you want two-factor authentication, where both the flash drive and the password are required, change the line to this one:
auth required pam_usb.so
Keep in mind that the author of pam_usb does not present his project as something that can be trusted to protect state secrets, let alone the family recipe for onion soup. You can copy the dump from the flash drive, write it to another flash drive and use that for authentication.
Instead of a flash drive (or in addition to it) you can use a smartphone. I am sure you have used the Google Authenticator application at least once in your life. It implements the TOTP algorithm (Time-based One-Time Password, RFC 6238), which lets you authenticate in one application using a one-time password generated by another.
Google offers Authenticator for authentication in its own services. In reality, however, it is not tied to Google in any way and does not use its servers (the key needed to generate one-time passwords is handed over directly by means of a QR code, after which the application works independently), which lets us use it for authentication in the system without fear of password leaks.
To do this you need to install the PAM module google-authenticator-libpam:
$ ./bootstrap.sh
$ ./configure
$ make
$ sudo make install
In Arch Linux the installation is done in this way:
$ yaourt -S google-authenticator-libpam-git
Then run the google-authenticator application: it will generate a QR code (or show a link to it) that you scan with the Google Authenticator application on your smartphone, and it will also ask you several questions. Answer no to all of them except the fourth (increasing the permitted time difference between client and server).
Then, as with the flash drive, add the following line to the same PAM file:
auth required pam_google_authenticator.so no_increment_hotp
One-time passwords can easily be combined with the flash drive requirement in various ways. To do this, simply set the second field of each line (the control flag: required or sufficient) to the desired value.
With passwords, one-time codes and encryption we can only protect the information on the laptop. To protect the laptop itself we need a different kind of tool, namely a tracking system like the Find My iPhone feature: a system that lets us remotely contact the notebook, determine its coordinates, take a screenshot and take a picture with the front camera.
One of the best solutions in this area is called Prey. On Debian-based systems it is installed from a deb package:
$ sudo dpkg -i prey_1.7.3_amd64.deb
In Arch Linux Prey is in the AUR:
$ yaourt -S prey-node-client
Just keep in mind that it will be installed on the system as
When the installation is complete, start the configurator:
$ sudo prey config account setup
It will ask for your email address and password, and that concludes the installation. To check that everything works, go to
The free version of Prey lets you find out the location of the device, get OS and hardware information, turn on an alarm, lock the device, take pictures with the camera and take screenshots. To be able to wipe data and download files you have to pay five dollars a month.
Also keep in mind that, unlike smartphones, which are connected to the mobile network by default and are therefore always online, a laptop is more often offline and usually connects to open Wi-Fi networks only with the user’s permission. In other words, the chances of finding a laptop are much lower than the chances of finding a phone.
One more way to fight unwelcome guests is to take pictures of them. Say you left your laptop in your room, a stranger comes in, wakes the laptop from sleep and tries to log in (or rather, tries to understand what is going on, because we use slock). That is the moment to take a picture.
First, let’s write a script that takes a picture with the laptop’s camera. It is extremely simple:
#!/bin/sh
# grab one second of video from the webcam and store the frame as a PNG
ffmpeg -y -t 1 -f video4linux2 -s 640x480 -r 30 -i /dev/video0 -f image2 "$HOME/webcam.png"
Save it as take_photo, put it in the ~/bin directory and make it executable:
$ chmod +x ~/bin/take_photo
Now we need a script that runs ours after the computer wakes up. Here it is:
#!/bin/sh
# systemd runs sleep hooks as root with two arguments: pre/post and the sleep type;
# after resuming from suspend, run the photo script as the ordinary user
if [ "$1" = post ] && [ "$2" = suspend ]; then
    sudo -u YOUR_USERNAME /home/YOUR_USERNAME/bin/take_photo
fi
Save it as 00take_photo, put it in the /lib/systemd/system-sleep/ directory and give it the same execution rights:
$ chmod +x /lib/systemd/system-sleep/00take_photo
Now every time the laptop wakes up it will take a photo and save it to ~/webcam.png. But we can go even further and send the photo to ourselves in Telegram. For this we install telegram-cli:
$ yaourt -S telegram-cli-git
Run the utility with the telegram-cli command: it will ask for your phone number (phone number:) in the format +71234567890, then the security code from the SMS and your password, if one is set.
Then we tweak our script a little:
#!/bin/bash
# one timestamped file name, used for both the snapshot and the message
photo="$HOME/webcam-$(date +%F_%H-%M-%S).png"
ffmpeg -y -t 1 -f video4linux2 -s 640x480 -r 30 -i /dev/video0 -f image2 "$photo"
# give the notebook a minute to reconnect to Wi-Fi before sending
sleep 60
telegram-cli -W -D -e "send_photo @YOUR_TELEGRAM_USERNAME $photo $(date)"
Now it will not only take the photo but also send it to our Telegram. The sleep 60 command adds a one-minute delay before sending so that the notebook has time to connect to Wi-Fi.
Protecting a laptop is not as easy as protecting a smartphone, which uses full-disk encryption with TEE acceleration, fingerprint protection and can be tracked over all types of networks. But by applying the tricks described in this article you can at least say that you have done your best.